ZOHO Mail is a business mail that includes integrated calendar, contacts, notes, and tasks apps. Initially I was looking for a stored XSS in the webmail, but I did not find it so I started checking the other services. I wondered if it was possible to inject malicious code via attachments in ZOHO Notes. By … Continue reading Stored XSS via cloud attachment
This is my first public disclosure on HackerOne. It is a partial disclosure, but the summary is clear: there was a stored XSS in the image preview feature via crafted attachment filename. #275274 – touch.mail.ru/messages – Stored XSS 07/10/2017 – I send the report 11/10/2017 – The vulnerability is fixed and the bug bounty reward … Continue reading Stored XSS in touch.mail.ru
In my own spare time I like to participate in the bug bounty programs. They are a hard challenge, but it is satisfying to find vulnerabilities in big companies. I usually look for XSS vulnerabilities, for this reason I have written a little python script to automate the search of XSS. XSSSonar is an open … Continue reading XSSSonar: python tool to look for XSS
